Tuesday, April 29, 2008

Race to STFU

If you're familiar w/ DefCon, then you know that there are always nifty contests and activities. A new one was announced on bugtraq a few days back, called The Race to Zero...

Short version is, contestants get malware samples which are detectable by AV products, and the first cat to get all the samples passed through w/ a zero detection rate wins... So, unsurprisingly the AV vendors came out and were like "bad hackers! bad defcon!!" and have been written up saying how this is adding to the state of insecurity, and encouraging the wrong behavior, blah blah blah.

But are they really thinking this through, or is it just a knee-jerk reaction? The AVG 'chief research officer' says it's hard to see the good in "encouraging people to write more viruses". Maybe I'm splitting hairs, but I'm callin you out here because there is nothing in this contest about creating new viruses. Hell, I'd challenge someone to debate whether or not the outcome of this contest will result in new virus variants. If I understand it correctly, the goal is to have a functionally intact sample obfuscated to escape detection.

This blog from Sophos is where I first heard grumbling about this issue, and it really rubbed me the wrong way...

It seems odd that the focus be on building awareness (that is already present) that signature-based detection is not enough by itself, it has been dead since the early 1990s when utilisation of polymorphic engines became widespread.

Really?!? Wait, can you say that again for me??? Signature based detection has been dead since the 1990s? Geeze, I wanna go to your reality, cause I bet you have flying cars and stuff too. I'm pretty sure that signature detection is still a major component of AV, IDS, WAF, etc in this reality. Yea, people have been talking about anomaly detection for years upon years, but commercial security products (including yours) still rely widely on signature detection. Hell, one reason we ended up picking Sophos for a global rollout a few years back was because their lab seemed to consistently turn around really good sigs really quickly. In fact, iirc, there wasn't any anomaly detection in Sophos until the latest release of their client software. It's been a long time, but I think SAV4 was only sig based, SAV5 was vapor, SAV6 was a clusterf*ck from an enterprise deployment standpoint and was sig based. I think it was either SAV7 or 8 where I first saw a blurb about watching for unusual behavior in software...

Essentially Defcon appears to be promoting the development of malicious software ... pseudo-benevolent coders are being challenged to add to the quagmire of nasties under the guise of promoting more widespread and generic detection

That's why you think they're doing this? Have you ever organized a contest at a security con? Do you personally know anyone who has? Cause, you see, it's kinda a lot of work and planning and stress, because you want it to work out and you don't want people to be disappointed. The people who do this stuff are generally inquisitive and intelligent people who have some deeper research interest in the subject at hand. So where you assume there is some juvenile malicious intent which doesn't make much sense, I assume there may be legitimate research intent or commentary on the AV industry...

See, if I was researching how people obfuscate malware to avoid detection, getting a bunch of smart hacker types together to produce examples of obfuscated malware might be a really good way to collect data.

Similarly, if I wanted to raise attention in an area which has been a problem for far too long, maybe I'd organize a contest to raise awareness and shame the culprits into action. You act as though a few hundred variants (at maximum) will be some paradigm shifting end of the world event, but to me it would seem to be at the very worst a drop in the bucket. Researchers say that Storm code is being repacked *by the minute*. Bad guys are using encryption and packing all over the place. And iirc, I remember reading some articles on studies where a significant percentage of malicious code was able to bypass AV detection and own the box some disconcerting percentage of the time.

This is the industry which ignored emerging internet based malware until they eventually realized that they could sell us a new product and make more money. Then they did the same thing with rootkits. Sorry, can you please tell me the fundamental difference between a virus and some malware and a rootkit? Because as far as I'm concerned, it's all malicious code running on a box, and I don't want it there.

I'm sorry, but I give the AV industry a big "F" for "FAIL"... The status quo isn't working. So if some people start a contest to learn something to help them think up a better defense, then I think that's great. And alternately, if they start a contest to draw attention to how much this industry is failing overall, I think the AV companies have certainly earned it.

And I'm sorry to be so negative here, because I get that AV work involves some huge technical challenges, and often times you are trying to protect OS's with flawed security models, and on and on... And I generally like Sophos too... But don't do this self-serving bitch session against people who aren't causing any real problems for real users. Organized criminals who are building botnets and paying coders tons of cash to come up with new attacks are the people you should be worried about... People who are trying to do research, lobby for change, and facilitate out of the box solutions are your friends...

4 comments:

Jens "jdm" Meyer said...

I agree.

lol

kurt wismer said...

@rwnin:
"Maybe I'm splitting hairs, but I'm callin you out here because there is nothing in this contest about creating new viruses. Hell, I'd challenge someone to debate whether or not the outcome of this contest will result in new virus variants."

modifying existing viruses makes new virus variants, by definition... since modifying existing viruses is precisely what the contest organizers are suggesting contestants do, new virus variants are exactly what they expect as results...

"Really?!? Wait, can you say that again for me??? Signature based detection has been dead since the 1990s?"

to the extent that signature based detection is dead now, it has been dead since the early 90's because the conditions that make people believe it's dead have existed since that time... which is to say that signature based detection by itself is dead, but signature based detection in conjunction with the other technologies av vendors offer is not...

"That's why you think they're doing this? "

minor nitpick - the section you quoted preceding the text i just quoted answered a 'what' question, not a 'why' question...

"You act as though a few hundred variants (at maximum) will be some paradigm shifting end of the world event"

you're making a mountain out of their molehill... they aren't running around saying that the sky is falling, they're just saying the contest is a bad idea and will have a negative outcome - there's a big difference...

"But don't do this self-serving bitch session against people who aren't causing any real problems for real users."

the fact of the matter is that there is a very real possibility that this contest will cause real problems for real users... that is always a risk when making new viruses, and even more so when it's high profile...

rwnin said...

@ kurt:

yea, i agree that modifying existing viruses makes variants, but at what level does modification warrant a variant? if i take a virus and flip one or two bits but leave the exploit method and overall functionality intact, is that really a variant? i see a variant as more of doing the same thing via a different sploit or using the same sploit to do a different thing... if you choose the bit change metric, it seems like each storm repack should have its own variant name and virus def...?

to the sig based detection point, i can partially agree. i think the consensus has been that sigs are not enough for the last year or two, but there are still a lot of products in a lot of spaces which use sigs as their primary detection method. so maybe it's just verbiage to disagree on w/ this point. clearly sigs have a place, and clearly they cannot be our sole defense w/ the attacks we're seeing today...

i guess you're probably right about my reaction to what the AV industry has been saying... i think i'm probably hyper-sensitive to them complaining about the contest because it seems like the industry has so completely failed to do what we're paying them to do... :-\

as for the risk coming out of defcon, i'll settle for waiting to see how it plays out... ;)

thanks for reading and for sharing your opinion! if you're coming to vegas this year, drop me a line and lets hook up and i'll buy you a drink :D

kurt wismer said...

@rwnin:
"at what level does modification warrant a variant?"

simply put, any modification by something other than the virus itself constitutes a new variant...

"if i take a virus and flip one or two bits but leave the exploit method and overall functionality intact, is that really a variant? i see a variant as more of doing the same thing via a different sploit or using the same sploit to do a different thing..."

first - exploits are tangential to the topic of viruses...

second - it's not technically possible to detect things on the basis of functionality (though it likely takes a certain amount of understanding of the halting problem to get that point)... known-malware scanning (what most people erroneously call anti-virus) is based on binary analysis and pattern matching... flip a bit and it no longer matches the pattern...

"if you choose the bit change metric, it seems like each storm repack should have its own variant name and virus def...?"

and sometimes that is what happens with a storm repack... it depends on the packing algorithm... packed malware is such that the 'package' can be considered like an envelope around the malware - if the av engine knows how to open the envelope then it can detect a repacked storm sample with existing signatures, but if it doesn't know how to open the envelope then the av engine needs a signature for the repacked sample instead of just what's inside... as an adaptation the av vendors have taken to trying to add definitions for all known packers as well but the malware writers get around this by modifying the packers themselves to create new proprietary envelopes that av products don't recognize and/or can't open properly...

"i think the consensus has been that sigs are not enough for the last year or two, but there are still a lot of products in a lot of spaces which use sigs as their primary detection method."

i can say with certainty that the av vendors have been saying sig-based detection isn't enough for well over a decade (they just haven't been saying it in their marketing because the marketing knobs don't know what the heck they're talking about in the first place)... the focus is still on signature-based detection because at the end of the day they are still businesses and have to meet the demands of their customers and that model is the one customers are familiar with and understand (more or less)...

"it seems like the industry has so completely failed to do what we're paying them to do... :-\"

people have a lot of mismatched expectations about what the av industry should be doing (and even about what's possible)...

"as for the risk coming out of defcon, i'll settle for waiting to see how it plays out... ;)"

whatever the risk is, in the current malware climate the impact will probably be low... still, just because there's lots of garbage on the ground doesn't mean it's ok to add more to it...
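An added illustration of the "flip a bit" and "envelope" points made in the comments above (this is not code from the post, the commenters, or any AV vendor): a scanner holding one byte-pattern signature, a constructed one-byte XOR envelope standing in for a packer, and an envelope-aware scanner. The sample bytes, the signature, the `ENV1` envelope layout and every function name are constructed for the example; it shows why raw pattern matching misses a bit-flipped or packed sample, and what the engine gains when it knows how to open the envelope, and loses again when the envelope format is one it does not recognise.

```python
# All of this is constructed for illustration: a stand-in "sample", a toy one-byte
# XOR "envelope" in place of a real packer, and a scanner holding one byte-pattern
# signature. No real malware, packer or AV engine is involved.

PAYLOAD = b"CONSTRUCTED-SAMPLE: spread(); phone_home(); drop_files();"  # sample body
SIGNATURES = {"Constructed.Sample.A": b"spread(); phone_home();"}  # fixed byte pattern
KNOWN_ENVELOPE_MAGIC = b"ENV1"  # toy envelope: 4-byte magic, 1-byte key, XOR body

def pack(body: bytes, key: int, magic: bytes = KNOWN_ENVELOPE_MAGIC) -> bytes:
    """Wrap body in the toy envelope (constructed stand-in for a packer)."""
    return magic + bytes([key]) + bytes(b ^ key for b in body)

def flip_bit(blob: bytes, index: int, bit: int) -> bytes:
    """Copy of blob with a single bit toggled (the comment's 'flip a bit' case)."""
    out = bytearray(blob)
    out[index] ^= 1 << bit
    return bytes(out)

def unpack_known_envelope(blob: bytes):
    """Open the envelope if the engine recognises its format, else None."""
    if len(blob) < 5 or blob[:4] != KNOWN_ENVELOPE_MAGIC:
        return None
    key = blob[4]
    return bytes(b ^ key for b in blob[5:])

def scan_signature_only(blob: bytes) -> list:
    """Plain pattern matching over the raw bytes and nothing else."""
    return [name for name, sig in SIGNATURES.items() if sig in blob]

def scan_with_unpacking(blob: bytes) -> list:
    """Match the raw bytes, then open any known envelope and match inside it."""
    hits = scan_signature_only(blob)
    inner = unpack_known_envelope(blob)
    if inner is not None:
        hits += [h for h in scan_signature_only(inner) if h not in hits]
    return hits

if __name__ == "__main__":
    flipped = flip_bit(PAYLOAD, PAYLOAD.index(b"spread"), 0)  # 's' becomes 'r'
    known = pack(PAYLOAD, 0x5A)  # envelope the engine knows how to open
    foreign = pack(PAYLOAD, 0x5A, magic=b"ENV2")  # envelope it does not recognise
    print("plain sample :", scan_signature_only(PAYLOAD))  # signature hit
    print("one bit off  :", scan_signature_only(flipped))  # no hit
    print("known pack   :", scan_signature_only(known), scan_with_unpacking(known))
    print("foreign pack :", scan_with_unpacking(foreign))  # needs a new sig or unpacker
```

The foreign-envelope case is the situation the comment describes for a modified packer: the engine either gets a signature for that specific repacked blob or learns to open the new envelope.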